Chris says there, "In some circumstances with multi-WAN you can't use any and that's probably where you're going wrong."

Question 1:

Can anybody explain what those circumstances are? I'd like to offer a patch that would keep users out of that situation.

Question 2:

I've tried port forwarding from my WAN CARP address to the LAN CARP address. This works for TCP OpenVPN connections, but for UDP OpenVPN connections, it doesn't. If I try logging on the associated filter rule, I never see anything. If I capture packets on the hardware interface, I see inbound packets. If I capture on the 'vip' interface, I don't see any packets (should I?).

Anyway, I suspect somehow TCP's state tracking is helping NAT work here, but I've seen others post that they've got this working with UDP, so I'm wondering what might be different.